The tech security industry was still reeling from revelations in The New York Times and the Guardian last week that the intelligence gathering agencies in the U.S. and U.K. were supposedly undermining basic online security and privacy measures. It was the latest in a long line of leaks about the U.S. National Security Agency’s spying efforts intended to thwart terrorism.
But a report that came over the weekend on a Brazilian TV show detailed how the NSA and U.K.’s GCHQ might have impersonated big websites like Google to spy on users, amid claims that it was conducting “economic espionage.”
Fantastico claimed that it had obtained an NSA slide from the Edward Snowden leak revealing this practice:
However, a top secret presentation dated May 2012 is used by the NSA to train new agents step-by-step how to access and spy upon private computer networks – the internal networks of companies, governments, financial institutions – networks designed precisely to protect information.
The name of Petrobras – Brazil’s largest company – appears right at the beginning, under the title: “MANY TARGETS USE PRIVATE NETWORKS.”
Besides Petrobras, e-mail and internet services provider Google’s infrastructure is also listed as a target. The company, often named as collaborating with the NSA, is shown here as a victim.
Other targets include French diplomats – with access to the private network of the Ministry of Foreign Affairs of France – and the SWIFT network, the cooperative that unites over ten thousand banks in 212 countries and provides communications that enable international financial transactions. All transfers of money between banks across national borders go through SWIFT.
Fantastico’s report — co-authored by the Guardian’s Glenn Greenwald with TV Globo reporter Sonia Bridi – pointed out that this slide seemed to contradict a statement made by the NSA to The Washington Post a couple of weeks ago that it does “not engage in economic espionage”:
“The Department of Defense does engage” in computer network exploitation, according to an e-mailed statement from an NSA spokesman, whose agency is part of the Defense Department. “The department does ***not*** engage in economic espionage in any domain, including cyber.”
The method of attack to conduct such alleged impersonation, according to a Mother Jones report, is known as a “man-in-the-middle (MITM) attack.” It’s a rather well-known technique used by “elite” hackers, the report stated.
This type of attack ties into the current discussion regarding the NSA skirting around encryption, with Mother Jones stating the “brilliance of an MITM attack is that it defeats encryption without actually needing to crack any code.”
Mother Jones turned to cryptologist Matthew Green with Johns Hopkins — a professor who recently was at the center of a controversy when the university decided to pull (then backtracked and apologized) his blog post critical of the NSA — for more information:
Browsers are supposed to automatically foil MITM attacks, Johns Hopkins University cryptography expert Matthew Green told me. They communicate in real time with partners known as certificate authorities, which keep huge databases of internet sites’ “public keys,” or digital signatures. The certificate authorities warn browsers about any sites that they can’t certify as legit—you may have encountered such pop-up warnings.
Watch Green’s interview with Bloomberg News regarding Google’s efforts to encrypt all data after reports that the NSA had cracked codes:
But here’s where that system breaks down: Not all certificate authorities are completely trustworthy. “If you are big enough and spend enough money,” Green says, “you can actually get them to give you your own signing key”—the signature that they use to certify websites. With that, the NSA could create a fake certificate for any site on the internet, which is probably what it did when it impersonated Google, Green says. “This is actually relatively easy to do,” he adds, “because there are so many certificate authorities”—between 100 and 200.
As for Google’s perspective on these reports, Mother Jones noted spokesman Jay Nancarrow saying the company has “no evidence of any such thing ever occurring.” Nancarrow included the trademark line of many companies that have been found providing spy agencies with user information: “We provide our user data to governments only in accordance with the law.”
Director of National Intelligence James Clapper released a statement over the weekend after the reports of economic espionage through thwarting of encryption keys.
“It is not a secret that the Intelligence Community collects information about economic and financial matters, and terrorist financing,” he said.
“We collect this information for many important reasons: for one, it could provide the United States and our allies early warning of international financial crises which could negatively impact the global economy,” the statement from Clapper continued. “It also could provide insight into other countries’ economic policy or behavior which could affect global markets.”
What the U.S. agencies do not do, according to the statement, is “use our foreign intelligence capabilities to steal the trade secrets of foreign companies on behalf of – or give intelligence we collect to – US companies to enhance their international competitiveness or increase their bottom line.”
The government’s National Institute of Standards and Technology sought to shore up confidence in the important behind-the-scenes role it plays in setting standards that are used by consumers to make purchases online, access their bank accounts, digitally sign legal documents or file their income taxes electronically. The agency said it “would not deliberately weaken a cryptographic standard” and would continue to work with experts “to create the strongest possible encryption standards for the U.S. government and industry at large.”
The Associated Press contributed to this report.